Changeset
12742:126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
This is a security improvement, to ensure that sessions authenticated using a
token (note: not currently possible in stock Prosody) are invalidated just
like password-authenticated sessions are.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Oct 2022 15:59:07 +0100 |
| parents | 12741:7b3deafb9162 |
| children | 12743:19113f232423 |
| files | plugins/mod_tokenauth.lua |
| diffstat | 1 files changed, 6 insertions(+), 0 deletions(-) |
line diff
--- a/plugins/mod_tokenauth.lua Thu Oct 06 11:12:57 2022 +0100 +++ b/plugins/mod_tokenauth.lua Thu Oct 06 15:59:07 2022 +0100 @@ -68,6 +68,12 @@ return nil, "not-authorized"; end + local account_info = usermanager.get_account_info(token_user, module.host); + local password_updated_at = account_info and account_info.password_updated; + if password_updated_at and password_updated_at > token_info.created then + return nil, "not-authorized"; + end + return token_info end
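Review bot: the new check `if password_updated_at and password_updated_at > token_info.created then` fails open whenever `password_updated_at` is nil, which happens if the auth provider does not implement `get_account_info` or does not record `password_updated`; in that case the token is accepted exactly as before and the commit message's guarantee does not hold, so either document that the provider must supply `password_updated` or log at debug level when it is absent so operators can see the invalidation is not in effect. The strict `>` also means a token created in the same timestamp tick as the password change is still honoured; `>=` is the fail-closed choice if both values come from the same clock. Finally, `token_info.created` is compared without a nil guard, so a stored token lacking that field raises a Lua "attempt to compare" error instead of returning `nil, "not-authorized"`; treating a missing `created` as invalid (e.g. `if not token_info.created or (password_updated_at and password_updated_at >= token_info.created) then`) would make that failure explicit.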